Federal Trade Commission

Overview of Statutory Authority to Remedy Privacy
Infringements

a) Power to prohibit unfair and deceptive practices.

Under 15
U.S.C. § 45(a)(2) (section 5 of the Federal Trade Commission
Act) the Federal Trade Commission ("FTC") is empowered to "prevent
persons, partnerships, or corporations" from using "unfair methods of
competition in or affecting commerce, and unfair or deceptive acts or
practices in or affecting commerce." Although this law does not grant
the FTC specific authority to protect privacy, over the last number
of years it has been construed to prohibit certain privacy invasions
based on deception. So, for example, if a company makes a written
promise on its website or in any other company literature to abide by
certain practices and then later breaches, or fails to meet, that
promise it may be prosecuted by the FTC for committing an unfair and
deceptive practice contrary to section 5 of the FTC Act.

Although this authority is useful where there is a clear violation
of a previous commitment, it is not a sufficient substitute for a
comprehensive and enforceable privacy law. It does not require data
collectors to abide by standard Fair Information Practices such as
notice, consent, use limitation, access and security. An "unfair and
deceptive practice", as defined by the Commission, includes only a
violation of a former written agreement (such as a privacy policy).
There is no obligation on companies to actually post such a policy.
In its own words:

This leads to the curious situation whereby a company without a
privacy policy is arguably less likely to be punished for privacy
invasive practices than a company with a privacy policy. Although the
agency itself may encourage companies to follow good principles, it
lacks the statutory authority to require them to do so.

In addition, individuals have no right to private action under the
FTC Act nor can they compel the agency to act on their behalf.
Consumers are entitled to notify the FTC of market failures by
submitting complaints against specific companies, however, the FTC is
not under any obligation to review or respond to individual privacy
complaints. [2] Where the agency does take
a case, it acts entirely according to its own discretion. There is no
opportunity for individuals to be involved and even judicial review
is expressly precluded by the Act. [3]

In June 2000, following three years of detailed marketplace study
the FTC concluded in its annual report
to Congress that new privacy legislation was necessary to protect
consumers against privacy invasions in the online marketplace. The
report called on Congress to enact legislation that would "establish
basic standards of practice for the collection of information online,
and provide an implementing agency with the authority to promulgate
more detailed standards." This position was reversed, however, in
October 2001 by new FTC Chairman Timothy Muris. In announcing a
new
privacy agenda for the agency the Chairman stated that it was
"too soon" to recommend broad-based online privacy legislation and
that there needed to be developed "better information about how such
legislation would work and the costs and benefits it would generate."

b) Other Powers

The FTC is also responsible for overseeing and enforcing the
privacy provisions of the following laws:

i) The
Fair Credit Reporting Act (15 U.S.C. §1681-1681 (u), as
amended) which regulates the use and disclosure of "consumer reports"
by consumer reporting agencies;

iv) the Gramm-Leach-Bliley
Act ( 15 U.S.C § 6801-6827) which provides limited "notice"
and "opt-out" rights to consumers over their financial records; and

v) the Identity
Theft Assumption and Deterrence Act (18 U.S.C. § 1028) which strengthens
the criminal laws governing identity theft and charges the FTC which establishing
a centralized complaint and consumer education service for victims of identity
theft.

c) How the FTC Takes an Action

If the FTC believes that a company is engaging in an unfair or
deceptive practice, it initially attempts to negotiate a settlement
with the company. A successful settlement results in a consent
decree, under which the company voluntarily agrees to refrain from
the disputed practice and to take steps to remedy the situation,
without admitting any violation of law. The order is then placed on
record for a public comment period of 60 days. After this period the
Commission decides whether to make the consent agreement
final.[4] If the consent order becomes
final, it has the force of law and violations are subject to a civil
penalty.[5]

If no settlement can be reached, the FTC may bring an enforcement
action (issue a complaint) against a party if it believes that the
party was engaging in an unlawful practice and that a proceeding
"would be in the interest of the public."[6]
This complaint must set out the specific charges and notify the party
that a formal hearing on the matter will take place before an
administrative law judge within 30 days.[7]
The Commission may also seek a temporary restraining order or
preliminary injunction against a company pending the issuance or
dismissal of a complaint to prevent them from engaging in a deceptive
act or practice.[8] At the hearing,
witnesses submit evidence, give testimony and are examined and
cross-examined. If a violation of law is found, the FTC will issue a
"cease and desist" order instructing the impugned party to refrain
from continuing to engage in the unlawful practice. This decision may
be appealed to the full Commission, which, subject to certain
restrictions, may modify or set aside the order, in whole or in part,
where it is of the opinion that either new conditions of fact or law,
or the public interest, so requires.

Final decisions of the Commission may be appealed, within 60 days
of the date of issuance of the order, to the US Court of Appeals for
any circuit in which the accused practice was used or the accused
party does business.[9] The appeals court
then has full jurisdiction to enter a decree affirming, modifying or
setting aside the order of the Commission. The judgment of the court
is final and subject only to review of the Supreme Court upon
certiorari. There is a civil penalty of up to $11,000, for each
separate violation of the final "cease and desist"
order.[10] Under
section 45(m)(1)(B), the Commission may enforce this penalty against
any party who violates the final cease and desist order if it can
show that they have "actual knowledge or knowledge fairly
implied ..that such act is unfair or deceptive."[11]
Similarly, the Commission may take measures against persons for
engaging in dishonest and fraudulent acts. Section 57b empowers it to
bring a civil action against any person, organization or corporation
that knowingly engages in an unfair and deceptive practice or a
practice "which a reasonable man would have known under the
circumstances was dishonest or fraudulent." In such a case, the
court may grant such relief as it finds necessary "to redress injury
to consumers or other persons, partnerships, and corporations
resulting from the rule violation or the unfair or deceptive act or
practice."

[2] Code of Federal Regulations Title 16,
Chap 1, Part 1, Sec 2.2 empowers "Any individual, partnership,
corporation, association, or organization [to] request the
Commission to institute an investigation in respect to any matter
over which the Commission has jurisdiction." The Commission, however,
retains full discretion to decide whether or not to take the action.

[5] Commission Rule 1.98, set out in
16CFR1.98, as last adjusted in 1996 sets the civil monetary penalty
amount at $11,000 .

[6]15 U.S.C. § 45 (b)

[7] Settlements between the FTC and
respondent companies are often made at this stage also.

[8] 15 U.S.C. § 53(b)

[9] 15 U.S.C. § 45(c)

[10] Supra.

[11] The Commission explains that in
order to prove actual knowledge it would typically show that "it had
provided the violator with a copy of the Commission determination in
question, or a "synopsis" of that determination." See FTC, 'A Brief
Overview of the FTC's Investigative and Law Enforcement Authority',
supra n.4.